[DO NOT MERGE] Azure Explicit Max TTL run CI tests

CHANGELOG.md

@@ -3,6 +3,7 @@
 FEATURES:
 
 * Add support for `recursive` search in `data_vault_namespaces` [#2408](https://github.com/hashicorp/terraform-provider-vault/pull/2408)
+* Add support for `explicit_max_ttl` in `vault_azure_secret_backend_role` resources. Requires Vault 1.18+ ([#2438](https://github.com/hashicorp/terraform-provider-vault/pull/2438)).
 
 ## 4.7.0 (Mar 12, 2025)
 

vault/resource_azure_secret_backend_role.go

@@ -120,6 +120,11 @@ func azureSecretBackendRoleResource() *schema.Resource {
 				Optional:    true,
 				Description: "Human-friendly description of the mount for the backend.",
 			},
+			consts.FieldExplicitMaxTTL: {
+				Type:        schema.TypeString,
+				Optional:    true,
+				Description: "Specifies the explicit maximum lifetime of the lease and service principal.",
+			},
 			consts.FieldSignInAudience: {
 				Type:        schema.TypeString,
 				Optional:    true,
@@ -183,6 +188,13 @@ func azureSecretBackendRoleUpdateFields(_ context.Context, d *schema.ResourceDat
 		}
 	}
 
+	useAPIVer118 := provider.IsAPISupported(meta, provider.VaultVersion118)
+	if useAPIVer118 {
+		if v, ok := d.GetOk(consts.FieldExplicitMaxTTL); ok && v != "" {
+			data[consts.FieldExplicitMaxTTL] = v
+		}
+	}
+
 	useAPIVer116 := provider.IsAPISupported(meta, provider.VaultVersion116)
 	if useAPIVer116 {
 		if v, ok := d.GetOk(consts.FieldSignInAudience); ok && v != "" {
@@ -267,6 +279,13 @@ func azureSecretBackendRoleRead(_ context.Context, d *schema.ResourceData, meta
 		}
 	}
 
+	useAPIVer118 := provider.IsAPISupported(meta, provider.VaultVersion118)
+	if useAPIVer118 {
+		if err := d.Set(consts.FieldExplicitMaxTTL, resp.Data[consts.FieldExplicitMaxTTL]); err != nil {
+			return diag.FromErr(err)
+		}
+	}
+
 	useAPIVer116 := provider.IsAPISupported(meta, provider.VaultVersion116)
 	if useAPIVer116 {
 		if err := d.Set(consts.FieldSignInAudience, resp.Data[consts.FieldSignInAudience]); err != nil {

vault/resource_azure_secret_backend_role_test.go

@@ -66,6 +66,14 @@ func TestAzureSecretBackendRole_AzureRoles(t *testing.T) {
 			resource.TestCheckResourceAttr(resourceName+".test_azure_roles", "tags.1", "project:vault_testing"))
 	}
 
+	isVaultVersion118 := provider.IsAPISupported(testProvider.Meta(), provider.VaultVersion118)
+	if !isVaultVersion118 {
+		azureRoleInitialCheckFuncs = append(azureRoleInitialCheckFuncs,
+			resource.TestCheckResourceAttr(resourceName+".test_azure_roles", "explicit_max_ttl", "0"))
+		azureRoleUpdatedCheckFuncs = append(azureRoleUpdatedCheckFuncs,
+			resource.TestCheckResourceAttr(resourceName+".test_azure_roles", "explicit_max_ttl", "2592000"))
+	}
+
 	resource.Test(t, resource.TestCase{
 		ProviderFactories: providerFactories,
 		PreCheck: func() {
@@ -208,7 +216,8 @@ resource "vault_azure_secret_backend_role" "test_azure_roles" {
  role             = "%[6]s-azure-roles"
  ttl              = 300
  max_ttl          = 600
- description	   = "Test for Vault Provider"
+ explicit_max_ttl = 0
+ description	  = "Test for Vault Provider"
  sign_in_audience = "AzureADMyOrg"
  tags             = ["team:engineering"]
 
@@ -259,6 +268,7 @@ resource "vault_azure_secret_backend_role" "test_azure_roles" {
   role        	   = "%[6]s-azure-roles"
   ttl        	   = 600
   max_ttl    	   = 900
+  explicit_max_ttl = 2592000
   description 	   = "Test for Vault Provider"
   sign_in_audience = "AzureADMultipleOrgs"
   tags       	   = ["environment:development","project:vault_testing"]
@@ -306,11 +316,14 @@ resource "vault_azure_secret_backend" "azure" {
 }
 
 resource "vault_azure_secret_backend_role" "test_azure_roles" {
-  backend     = vault_azure_secret_backend.azure.path
-  role        = "%[6]s-azure-roles"
-  ttl         = 300
-  max_ttl     = 600
-  description = "Test for Vault Provider"
+  backend          = vault_azure_secret_backend.azure.path
+  role             = "%[6]s-azure-roles"
+  ttl              = 300
+  max_ttl          = 600
+  explicit_max_ttl = 0
+  description      = "Test for Vault Provider"
+  sign_in_audience = "AzureADMultipleOrgs"
+  tags       	   = ["environment:development","project:vault_testing"]
 
   azure_roles {
     role_name = "Reader"

website/docs/r/azure_secret_backend_role.html.md

@@ -73,6 +73,7 @@ The following arguments are supported:
   Accepts time suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine default TTL time.
 * `max_ttl` – (Optional) Specifies the maximum TTL for service principals generated using this role. Accepts time
   suffixed strings ("1h") or an integer number of seconds. Defaults to the system/engine max TTL time.
+* `explicit_max_ttl` - (Optional) Specifies the explicit maximum lifetime of the lease and service principal generated using this role. If not set or set to 0, will use the system default (10 years).
 * `sign_in_audience` - (Optional) Specifies the security principal types that are allowed to sign in to the application.
   Valid values are: AzureADMyOrg, AzureADMultipleOrgs, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount. Requires Vault 1.16+.
 * `tags` - (Optional) - A list of Azure tags to attach to an application. Requires Vault 1.16+.